The HBAC deny rule is no longer supported, so it is no longer necessary to show the warning.
Ticket #1444 -- Endi S. Dewata
From 65e621bbb8f4181e83b7391fc9e6cd6f8ad7a376 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata <edew...@redhat.com> Date: Mon, 24 Oct 2011 18:18:10 -0500 Subject: [PATCH] Removed HBAC deny rule warning. The HBAC deny rule is no longer supported so it's no longer necessary to show the warning. Ticket #1444 --- freeipa.spec.in | 7 +-- install/html/Makefile.am | 1 - install/html/hbac-deny-remove.html | 83 -------------------------------- install/ui/hbac.js | 44 ----------------- install/ui/ipa.css | 5 -- install/ui/ipa.js | 9 ---- install/ui/test/bin/update_ipa_init.sh | 27 ++++++++++- install/ui/test/data/ipa_init.json | 9 +--- install/ui/webui.js | 6 -- 9 files changed, 29 insertions(+), 162 deletions(-) delete mode 100644 install/html/hbac-deny-remove.html diff --git a/freeipa.spec.in b/freeipa.spec.in index 56127037e31a9ed91c9f305f2e80b6f0ccb40189..11729b23a1030c9bf97f991a70e5bbef4f1229fd 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -342,8 +342,6 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \ %{buildroot}%{_usr}/share/ipa/html/unauthorized.html ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \ %{buildroot}%{_usr}/share/ipa/html/browserconfig.html -ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \ - %{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \ %{buildroot}%{_usr}/share/ipa/html/ipa_error.css @@ -501,7 +499,6 @@ fi %{_usr}/share/ipa/html/ssbrowser.html %{_usr}/share/ipa/html/browserconfig.html %{_usr}/share/ipa/html/unauthorized.html -%{_usr}/share/ipa/html/hbac-deny-remove.html %{_usr}/share/ipa/html/ipa_error.css %dir %{_usr}/share/ipa/migration %{_usr}/share/ipa/migration/error.html 
@@ -526,7 +523,6 @@ fi %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html -%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf @@ -619,6 +615,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Mon Oct 24 2011 Endi S. Dewata <edew...@redhat.com> - 2.99.0-9 +- Removed hbac-deny-remove.html + * Fri Oct 21 2011 Alexander Bokovoy <aboko...@redhat.com> - 2.99.0-8 - Default to systemd for Fedora 16 and onwards diff --git a/install/html/Makefile.am b/install/html/Makefile.am index c310be6d2351bd8268368f971e93d33ec1e6bf20..46e8683c855bd093cf609b1fbc5e3df2d771e9de 100644 --- a/install/html/Makefile.am +++ b/install/html/Makefile.am @@ -5,7 +5,6 @@ app_DATA = \ ssbrowser.html \ browserconfig.html \ unauthorized.html \ - hbac-deny-remove.html \ ipa_error.css \ $(NULL) diff --git a/install/html/hbac-deny-remove.html b/install/html/hbac-deny-remove.html deleted file mode 100644 index 7debfea769503035e1c402dccd082eb1721a80f5..0000000000000000000000000000000000000000 --- a/install/html/hbac-deny-remove.html +++ /dev/null 
@@ -1,83 +0,0 @@ -<!DOCTYPE html> -<html> -<head> -<meta charset="utf-8"> - <title>IPA: Identity Policy Audit</title> - - <script type="text/javascript" src="../ui/jquery.js"></script> - - <link rel="stylesheet" type="text/css" href="../ui/jquery-ui.css" /> - <link rel="stylesheet" type="text/css" href="../ui/ipa.css" /> - <link rel="stylesheet" type="text/css" href="ipa_error.css" /> - - -</head> - -<body class="info-page"> - - <div class="container_1"> - <div class="header-logo"> - <img src="../ui/ipalogo.png" /><img src="../ui/ipabanner.png" /> - </div> - <div class="textblockkrb"> - <h1>Removal of HBAC Deny Rules.</h1> - <p>FreeIPA has dropped support for DENY rules from the HBAC - specification. </p> - <p>The former design of HBAC specifies that<p> - <ol> - <li> If no ALLOW rules match, access is denied</li> - <li> If one or more ALLOW rules match and no DENY rules match, - access is allowed</li> - <li>If one or more DENY rules match, access is denied</li> - </ol> - <p>Thus, DENY rules exist only to provide exceptions from the ALLOW - rules. There exists no ALLOW+DENY combination that cannot be - constructed from ALLOW rules only.[1]</P> - - <p>DENY rules introduce a lot of edge-cases for evaluation. The most - important of which is the availability of the group membership for - the user logging in. Depending on the mechanism used to log in (for - example, GSSAPI over SSH or cross-realm Kerberos trust where the - user is provided by the PAC), SSSD's cache may not have a complete - list of groups for this user. If the login is occurring during - offline mode (where SSSD cannot contact the LDAP server to refresh - the user's groups), SSSD cannot determine whether DENY rules would - match for the user. This therefore translates into a potential - security issue.</p> - - <p>We implemented a workaround in the SSSD evaluator to resolve this by - guaranteeing that we do a full lookup of all groups referenced by - rules while we are retrieving the rules from FreeIPA. 
However, this - requires at least one additional lookup against the LDAP server - (possibly many if there is need to resolve nestings). This results - in a significantly slower login while online.</p> - - <p>We also have issues related to source host evaluation. Some - applications will provide an IP address instead of a hostname in the - pam_rhost attribute. Our only recourse here is to perform a - reverse-DNS lookup to try and identify the real hostname(s) of the - server. However, in many real-world environments, reverse DNS is - unavailable or misconfigured. In the case of ALLOW rules, this would - lead to a match failure and an implicit denial. However, a failure - to properly match a DENY rule can result in unexpected access being - granted. This is a potentially serious security issue.</p> - - <p>Given these edge cases (and performance issues of the noted - workaround), The FreeIPA team decided to drop DENY rules from the - HBAC specification and limit HBAC only to ALLOW rules (which are - much safer). Beyond the obvious advantages for our implementation, - this should make it less complex for users to write their rules.</p> - - <p>[1] Some rules are complex to simulate, such as "Allow access from - all PAM services EXCEPT telnet". But a safer and clearer - implementation approach does all access via whitelist. If a FreeIPA - implementation is using an exception rule, the administrators - should re-evaluate the justification. - </p> - </div> - - </div> - -</body> - -</html> diff --git a/install/ui/hbac.js b/install/ui/hbac.js index fb57dd1582c70aaf3c18eaee087751b1dd4c3b49..e05e43f6b06651c4fe390526dba2262e1f088922 100644 --- a/install/ui/hbac.js +++ b/install/ui/hbac.js 
@@ -554,47 +554,3 @@ IPA.hbacrule_details_facet = function(spec) { return that; }; - - -IPA.hbac_deny_warning_dialog = function(container) { - var dialog = IPA.dialog({ - 'title': 'HBAC Deny Rules found' - }); - - var link_path = "config"; - if (IPA.use_static_files){ - link_path = "html"; - } - - dialog.create = function() { - dialog.container.append( - "HBAC rules with type deny have been found."+ - " These rules have been deprecated." + - " Please remove them, and restructure the HBAC rules." ); - $('<p/>').append($('<a/>',{ - text: 'Click here for more information', - href: '../' +link_path +'/hbac-deny-remove.html', - target: "_blank", - style: 'target: tab; color: blue; ' - })).appendTo(dialog.container); - }; - - dialog.create_button({ - name: 'edit', - label: 'Edit HBAC Rules', - click: function() { - dialog.close(); - IPA.nav.show_page('hbacrule', 'search'); - } - }); - - dialog.create_button({ - name: 'ignore', - label: 'Ignore for now', - click: function() { - dialog.close(); - } - }); - - dialog.open(); -}; diff --git a/install/ui/ipa.css b/install/ui/ipa.css index be4ad361e6f9262a8ecb6a1744cce9cf25e29f1e..afdeed35dff77ee2b7721d98ff0d99c0f1e8300d 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css @@ -696,11 +696,6 @@ span.main-nav-off > a:visited { padding-left: 0.5em; } -.hbac-deny-rule { - color: red; -} - - .search-table tfoot td { padding: 0.5em 0 0 1em; border-top: 1px solid #dfdfdf; diff --git a/install/ui/ipa.js b/install/ui/ipa.js index 381f128c2b2f441669c2f660ccce882ab2ce288c..15088f61abb275d69514bef1814b5e6e3df9b889 100644 --- a/install/ui/ipa.js +++ b/install/ui/ipa.js @@ -169,15 +169,6 @@ var IPA = ( function () { } })); - batch.add_command(IPA.command({ - entity: 'hbacrule', - method: 'find', - options:{"accessruletype":"deny"}, - on_success: function(data, text_status, xhr) { - that.hbac_deny_rules = data; - } - })); - batch.execute(); }; 
diff --git a/install/ui/test/bin/update_ipa_init.sh b/install/ui/test/bin/update_ipa_init.sh index 2fc9c217075f5cd7fcd8fa07b031a0d6861a5ad4..26cbc9679f6cef6b17adc4003b9f98a9197cfec9 100755 --- a/install/ui/test/bin/update_ipa_init.sh +++ b/install/ui/test/bin/update_ipa_init.sh @@ -15,7 +15,30 @@ then exit 1 fi - +json="{ + \"method\": \"batch\", + \"params\": [ + [ + { + \"method\": \"i18n_messages\", + \"params\": [[], {}] + }, + { + \"method\": \"user_find\", + \"params\":[[], { \"whoami\": true, \"all\": true }] + }, + { + \"method\": \"env\", + \"params\": [[], {}] + }, + { + \"method\": \"dns_is_enabled\", + \"params\": [[], {}] + } + ], + {} + ] +}" curl -v\ -H "Content-Type: application/json"\ @@ -24,6 +47,6 @@ curl -v\ --delegation always\ -u :\ --cacert /etc/ipa/ca.crt\ - -d '{"method":"batch","params":[[{"method":"json_metadata","params":[[],{}]},{"method":"i18n_messages","params":[[],{}]},{"method":"user_find","params":[[],{"whoami":true,"all":true}]},{"method":"env","params":[[],{}]},{"method":"dns_is_enabled","params":[[],{}]},{"method":"hbacrule_find","params":[[],{"accessruletype":"deny"}]}],{}]}'\ + -d "$json"\ -X POST\ https://`hostname`/ipa/json | sed 's/[ \t]*$//' > $INIT_FILE diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 78b18ee118e563d4b118028ba36c41d7d8593a39..15f19f12d4589fb2d0df96c817982b1092805f01 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -2,7 +2,7 @@ "error": null, "id": null, "result": { - "count": 5, + "count": 4, "results": [ { "error": null, @@ -533,13 +533,6 @@ "result": true, "summary": null, "value": "" - }, - { - "count": 0, - "error": null, - "result": [], - "summary": "0 HBAC rules matched", - "truncated": false } ] } diff --git a/install/ui/webui.js b/install/ui/webui.js index 189cddda1bc21ca01583802301fbfddcbb846e51..daa22b22a5fb42edc7cc624715b14a911361cd07 100644 --- a/install/ui/webui.js +++ b/install/ui/webui.js 
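Review bot: The new `json` payload in the first hunk also drops the `json_metadata` request that the removed `-d` line in the second hunk used to send first, so the regenerated fixture changes in more than the HBAC entry the commit message describes. If that is intended (the `"count": 4` in ipa_init.json matches the four requests now listed), a comment above `json="{` such as `# Keep this request list in sync with the init batch built in ipa.js` would record it; otherwise `json_metadata` should be re-added to the list. Building the body as a double-quoted shell string forces every inner quote to be escaped, which makes the JSON hard to read and easy to break; assigning it from a quoted heredoc (`json=$(cat <<'EOF'` … `EOF`) would let the JSON be written verbatim. The `-d "$json"` quoting is correct — without the quotes the embedded whitespace would split the payload into several curl arguments.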
@@ -167,12 +167,6 @@ $(function() { IPA.nav.update(); $('#login_header').html(IPA.messages.login.header); - - if (IPA.hbac_deny_rules && IPA.hbac_deny_rules.count > 0){ - if (IPA.nav.name === 'admin'){ - IPA.hbac_deny_warning_dialog(); - } - } } -- 1.7.5.1